Re: NeVO Scan Application review

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 11/25/03

    Date: Mon, 24 Nov 2003 21:35:26 -0500
    To: "Zach Forsyth" <Zach.Forsyth@kiandra.com>
    
    

    At 11:24 AM 11/25/2003 +1100, you wrote:
    >Hi Ron,
    >
    >Any comments on this article?
    >
    >http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art411,00.
    >html
    >
    >Cheers
    >
    >Z

    Thanks for asking. Apologies in advance for the long post, but if you
    are reading this over the US Thanksgiving holiday, sit back and enjoy ;)

    We felt the article accurately reflected the operation of a stand-alone
    NeVO, but missed two key points. The first is that most large
    enterprises can't scan as often as they need to and NeVO can fill the
    gaps. The second is that NeVO was never really meant to be operated by
    itself, but in conjunction with active Nessus scanners, your choice of
    NIDS, the Lightning Console, hundreds of administrators and your CIO.

    Having said that, one of the conclusions of the article was that NeVO
    was not enterprise ready. The article was referring to a lack of a
    central console or reporting which in version 1.0 was true. However,
    with Lightning 2.0 and NeVO 1.2, this all changes. Both are shipping,
    btw. You can place as many passive NeVOs, Nessus scanners and NIDS as
    you need across an enterprise and do full passive and active
    vulnerability correlation with Snort, Dragon, ISS, IntruShield, etc.
    The Console also tracks your vulnerabilities, IDS events, security
    workflow across business units, critical network assets, the network
    topology and produces detailed and executive reports.

    Even if someone does not deploy NeVO with Lightning, they still get
    their raw vulnerability information for "free" without crashing their
    new VOIP switch. We have several "Nessus" friendly customers who have
    developed their own reporting and have seamlessly dropped NeVO into
    their operations. Also, I can't release the name of the site, but we
    have been running NeVO on a popular security portal and received 67,000
    unique visitors over a two-week period. Of those visitors, NeVO
    passively identified vulnerabilities in many of the web and SMTP clients
    and servers which interacted with the site. The point here is scale for
    large enterprises. One NeVO scanner can provide a very detailed look
    into the operating systems, network clients, network servers and
    vulnerabilities involved on the largest enterprise networks.

    Since NeVO is on 'all' of the time and it matches for specific
    vulnerabilities, that means that the vulnerability and IDS correlation
    which occurs at the Lightning Console is that much more accurate. Our
    concern at Tenable is that doing correlation based on 'old' vulnerability
    data (like on a month-old Nessus scan) or 'relevant' vulnerability data
    (like all of the IIS security holes) can produce false correlations. The
    Lightning Console is a tool to communicate security info with non-security
    admins. If we are going to send an alarm page about an attack to a DNS
    admin at 3:00 am, I want to be very sure that her DNS server is indeed
    vulnerable. NeVO helps the Lightning Console get there and maintain
    that sort of accuracy.

    And for those of you who don't like unix, NeVO will be available on
    Windows 2000 and Windows XP with a shiny user interface early next year.
    If you have seen our NeWT vulnerability scanner, it will have the same
    sort of look and feel, but be passive.

    Apologies for the long post ...

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com
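
The correlation concern raised in the message above (escalating IDS alerts against 'old' or merely 'relevant' vulnerability data), as an added example that is not part of the original post and is not Tenable's code. The hosts, vulnerability labels, field names and the one-day freshness window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; labels and addresses are hypothetical.
NOW = datetime(2003, 11, 25, 3, 0)
MAX_AGE = timedelta(days=1)  # assumed freshness window for vulnerability data

# Vulnerability findings: where a specific issue was last observed.
FINDINGS = [
    {"host": "10.0.0.53", "vuln": "VULN-DNS-1", "service": "dns",
     "seen": NOW - timedelta(hours=2)},    # observed recently
    {"host": "10.0.0.80", "vuln": "VULN-IIS-7", "service": "iis",
     "seen": NOW - timedelta(days=30)},    # month-old scan, may be patched since
    {"host": "10.0.0.81", "vuln": "VULN-IIS-2", "service": "iis",
     "seen": NOW - timedelta(hours=1)},    # IIS host, but a different hole
]

# IDS alerts: target host plus the vulnerability the signature relates to.
ALERTS = [
    {"id": 1, "dst": "10.0.0.53", "vuln": "VULN-DNS-1", "service": "dns"},
    {"id": 2, "dst": "10.0.0.80", "vuln": "VULN-IIS-7", "service": "iis"},
    {"id": 3, "dst": "10.0.0.81", "vuln": "VULN-IIS-7", "service": "iis"},
]

def correlate(alerts, findings, now, max_age=None, match="specific"):
    """Return the ids of alerts that would be escalated to an admin.

    match="specific": the exact vulnerability must be recorded on the target.
    match="class":    any finding for the same service on the target counts.
    max_age=None:     findings of any age are accepted.
    """
    key = "vuln" if match == "specific" else "service"
    escalated = []
    for alert in alerts:
        for f in findings:
            if f["host"] != alert["dst"]:
                continue
            if max_age is not None and now - f["seen"] > max_age:
                continue  # too old to trust for a 3:00 am page
            if f[key] == alert[key]:
                escalated.append(alert["id"])
                break
    return escalated

if __name__ == "__main__":
    print("specific + fresh:", correlate(ALERTS, FINDINGS, NOW, MAX_AGE))
    print("specific, any age:", correlate(ALERTS, FINDINGS, NOW))
    print("class + fresh:", correlate(ALERTS, FINDINGS, NOW, MAX_AGE, "class"))
```

Only alert 1 survives when both the specific vulnerability and its freshness are required; dropping either condition escalates alerts whose target is not confirmed vulnerable right now.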
